Topic
  • 1 reply
  • Latest Post - 2015-01-20T17:21:11Z by Taylor.Osmun (IBM)
lin-zhao
28 Posts

Pinned topic payload field for events in 7.2.3 doesn't contain useful information

2015-01-19T21:53:26Z |

http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.3/com.ibm.qradar.doc_7.2.3/c_aql_even_flow_fields_ref.html

This documentation lists payload as a supported field for events. But this field doesn't seem to be correctly returned via the API. The result is a list of "[B@xxxx" values instead of the actual raw log. This works on the 7.2.2 demo server.

Is this field supported? If not, is there a way to get the raw log payload from QRadar?

For example:

>curl --user user:password -k -d "query_expression=SELECT payload from events LIMIT 5" https://qrdemo3/restapi/api/ariel/searches

{"processed_record_count":0,"query_execution_time":0,"progress":0,"record_count":0,"status":"EXECUTE","search_id":"51d213f7-3e56-4bd3-8f3f-b67d7b66b599","save_results":false}

 

>curl --user user:password -k https://qrdemo3/restapi/api/ariel/searches/51d213f7-3e56-4bd3-8f3f-b67d7b66b599/results

{"events":[{"payload":"[B@b51d054b"},
{"payload":"[B@15fb444f"},
{"payload":"[B@82499e14"},
{"payload":"[B@3f213008"},
{"payload":"[B@dd4a0206"}]}

  • Taylor.Osmun (IBM)
    55 Posts
    ACCEPTED ANSWER

    Re: payload field for events in 7.2.3 doesn't contain useful information

    2015-01-20T17:21:11Z

    Hi,

    The default behaviour of selecting column data is to grab the string representation. Payloads are stored as byte[] on the Java side of our framework, and so the default result you see is byte[].toString().

    As a result, you need to specify that you would like the UTF8 encoding of the byte[] (payload), which can be queried like this:

    curl --user user:password -k -d "query_expression=SELECT utf8(payload) from events LIMIT 5" https://qrdemo3/restapi/api/ariel/searches

    - Taylor
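As an added example (not code from this thread or from IBM), the following Python 3 client does what the accepted answer describes end to end: it submits the search with utf8(payload) instead of payload, waits for the search to finish, fetches the results, and rejects any row that still carries the "[B@..." byte[] identity string the question shows. It assumes the endpoints visible in the thread (POST /api/ariel/searches and GET /api/ariel/searches/{id}/results under the /restapi prefix), and additionally assumes that GET /api/ariel/searches/{id} reports the search status and that a finished search reports "COMPLETED"; the sample responses it replays offline are constructed from the JSON posted above, with one made-up syslog line standing in for a decoded payload.

```python
"""Pull raw event payloads from the QRadar Ariel REST API.

Added example, not code from the original thread or from IBM. Assumptions
(not confirmed by the thread): GET /api/ariel/searches/{id} reports the
search status, and a finished search reports "COMPLETED". The base URL
carries the "/restapi" prefix seen in the thread, e.g. https://qrdemo3/restapi.
"""
import base64
import json
import re
import ssl
import time
import urllib.parse
import urllib.request

# Java's default byte[].toString() renders as "[B@<hex identity hash>". A cell
# that looks like this means the query selected the raw byte[] column, which is
# exactly what the poster saw with "SELECT payload".
JAVA_BYTE_ARRAY_REPR = re.compile(r"^\[B@[0-9a-fA-F]+$")

# Constructed sample responses, modelled on the JSON posted in the thread, so the
# example runs offline. The decoded syslog line is made up.
SAMPLE_RESPONSES = {
    ("POST", "/api/ariel/searches"): {
        "processed_record_count": 0, "query_execution_time": 0, "progress": 0,
        "record_count": 0, "status": "EXECUTE",
        "search_id": "51d213f7-3e56-4bd3-8f3f-b67d7b66b599", "save_results": False},
    ("GET", "/api/ariel/searches/51d213f7-3e56-4bd3-8f3f-b67d7b66b599"): {
        "status": "COMPLETED"},
    ("GET", "/api/ariel/searches/51d213f7-3e56-4bd3-8f3f-b67d7b66b599/results"): {
        "events": [{"payload": "<86>Jan 19 21:53:26 qrdemo3 sshd[1234]: "
                               "Accepted publickey for user from 10.0.0.5 port 51234 ssh2"}]},
}


def payload_query(limit=5, extra_columns=()):
    """Build the AQL the accepted answer recommends: decode the byte[] with utf8()."""
    columns = ["utf8(payload) AS payload"] + list(extra_columns)
    return "SELECT %s FROM events LIMIT %d" % (", ".join(columns), int(limit))


def undecoded_rows(rows, column="payload"):
    """Indexes of rows whose cell is still a Java byte[] identity string."""
    return [i for i, row in enumerate(rows)
            if JAVA_BYTE_ARRAY_REPR.match(str(row.get(column, "")))]


def urllib_transport(verify_tls=True):
    """Return transport(method, url, headers, body) -> parsed JSON, over HTTPS."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; only for a lab box with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return send


def sample_transport(method, url, headers, body):
    """Offline stand-in for urllib_transport that replays SAMPLE_RESPONSES."""
    path = urllib.parse.urlsplit(url).path.replace("/restapi", "", 1)
    return SAMPLE_RESPONSES[(method, path)]


def fetch_payloads(base_url, user, password, limit=5, transport=None,
                   poll_interval=2.0, timeout=120.0):
    """Submit the search, wait for it to finish, and return the result rows."""
    transport = transport or urllib_transport()
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    headers = {"Authorization": "Basic " + token, "Accept": "application/json"}
    body = urllib.parse.urlencode({"query_expression": payload_query(limit)}).encode()

    created = transport("POST", base_url + "/api/ariel/searches", headers, body)
    search_id = created["search_id"]
    status_url = base_url + "/api/ariel/searches/" + search_id

    # The POST answers "EXECUTE" immediately; poll until the search settles.
    # Terminal states other than COMPLETED are assumed, not taken from the thread.
    status = created.get("status")
    deadline = time.monotonic() + timeout
    while status not in ("COMPLETED", "CANCELED", "ERROR"):
        if time.monotonic() > deadline:
            raise TimeoutError("search %s still in state %s" % (search_id, status))
        time.sleep(poll_interval)
        status = transport("GET", status_url, headers, None)["status"]
    if status != "COMPLETED":
        raise RuntimeError("search %s ended in state %s" % (search_id, status))

    rows = transport("GET", status_url + "/results", headers, None)["events"]
    bad = undecoded_rows(rows)
    if bad:  # the symptom from the question: "[B@..." instead of the raw log
        raise ValueError("rows %s hold byte[] identity strings, not log text; "
                         "select utf8(payload), not payload" % bad)
    return rows


if __name__ == "__main__":
    for row in fetch_payloads("https://qrdemo3/restapi", "user", "password",
                              limit=1, transport=sample_transport, poll_interval=0):
        print(row["payload"])
```

Against a real console, drop the transport argument (or pass urllib_transport(verify_tls=False) for a lab box with a self-signed certificate, the equivalent of the -k in the thread's curl commands) and use the same base URL, user and password as in the curl examples; the AS alias keeps the result key "payload" so downstream code does not have to look for a "utf8(payload)" column.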
